The Cyber Resilience Act (CRA): a new European regulatory framework for cybersecurity

Introduction

The European Union continues its ambition to strengthen the digital single market through a robust regulatory framework that places cybersecurity at its core. Following previous initiatives such as the NIS2 Directive and the Digital Operational Resilience Act (DORA), the Regulation on horizontal cybersecurity requirements for products with digital elements, better known as the Cyber Resilience Act (CRA), officially entered into force on December 10, 2024. The CRA has far-reaching implications for companies marketing "products with digital elements" in the European market.

The CRA is the first EU legislation to impose horizontal cybersecurity obligations for products with digital elements. It aims not only to protect consumers, but also to raise the overall level of cybersecurity within the internal market.

Purpose and scope of the CRA

The CRA applies to all products with digital elements, including both hardware and software that can be directly or indirectly connected to a network. Examples include:

  • Internet of Things (IoT) devices such as smart thermostats or smart watches.
  • Operating systems and applications for laptops, smartphones or servers.
  • Software development kits (SDKs).
  • Industrial automation products.
  • AI applications, if they are connected to networks.

The scope is thus extremely broad: it covers both classic IT players and manufacturers in sectors such as healthcare, mobility, energy or construction, as soon as their products incorporate digital functionality.

Exceptions are provided for products already covered by specific EU legislation, such as medical devices (MDR), aerospace products or automotive parts, provided they already contain similar cybersecurity requirements.

To whom does the CRA apply?

The CRA imposes obligations on various actors in the supply chain, including:

  • Manufacturers of products with digital elements.
  • Importers and distributors of such products on the EU market.
  • To a limited extent, providers of open-source software, although these largely fall outside the scope if the software is provided free of charge and non-commercially.

For Belgian companies that develop, sell or distribute digital products, it is therefore essential to check whether they are covered by this new regulation.

Key obligations under the CRA

The CRA contains a series of ex-ante and ex-post obligations that cover the entire product life cycle.

1. Security requirements by design

Manufacturers must integrate cybersecurity from product design and development onwards ("security by design and by default"). This includes:

  • Protection against unauthorized access or tampering.
  • Security updates that can be installed in a secure and automated manner.
  • Resistance to known vulnerabilities and mechanisms for detecting incidents.

2. Risk assessment and conformity assessment

Manufacturers are required to carry out a cybersecurity risk assessment and a conformity assessment for each product they wish to place on the market. Depending on the risk class (standard or high risk), a product must undergo conformity assessment through:

  • Internal technical documentation and self-certification.
  • Or, for higher-risk products, through an accredited conformity assessment body (Notified Body).

3. Vulnerability handling and reporting requirements

The CRA also introduces a mandatory vulnerability management system, including:

  • Active monitoring of vulnerabilities throughout the product life cycle (at least 5 years).
  • The obligation to report serious vulnerabilities to the European Cybersecurity Agency (ENISA) within 24 hours of discovery.
  • Communication to users in the event of risks or necessary security updates.

4. Providing information to users

The manufacturer must provide clear and accessible information on:

  • The expected life of the product.
  • The period during which security updates will be delivered.
  • Recommended security settings and procedures.

Relationship to other European regulations

The CRA is part of a broader strategy to strengthen digital resilience in the EU. It should be read in conjunction with other regulations, including:

  • NIS2 Directive: for vital sectors, with emphasis on operational security.
  • DORA: for the financial sector.
  • AI Act: if the digital product contains AI functionality.
  • CE marking and product safety: products that meet the CRA requirements will bear the CE mark, indicating that they conform to European cybersecurity standards.

Timeline and transition period

Although the CRA entered into force on December 10, 2024, its obligations do not apply immediately. A phased implementation is planned:

  • June 11, 2026: conformity assessment bodies must comply with the new requirements from this date.
  • Sept. 11, 2026: manufacturers must report serious vulnerabilities and security incidents to the European Cybersecurity Agency (ENISA) from this date.
  • Dec. 11, 2027: the remaining obligations, including the cybersecurity requirements for products and the duty of care for security updates, apply in full from this date.

This transition period allows companies to adapt their products and processes to the new requirements and fully integrate cybersecurity into their product development and operations.

Sanctions for non-compliance

The Cyber Resilience Act provides for significant penalties for companies that fail to comply:

  • Violation of the essential cybersecurity requirements or obligations: fines of up to €15 million or 2.5% of total global annual turnover, whichever is higher.
  • Providing incorrect, incomplete or misleading information to notified bodies and supervisory authorities: this can also result in fines of up to €15 million or 2.5% of total global annual turnover, whichever is higher.

In addition to financial penalties, national authorities can take further measures, such as recalling non-compliant products or imposing temporary or permanent sales bans. These strict enforcement measures underscore how important it is for companies to comply with the CRA requirements in a timely manner in order to limit legal and financial risks.

What does this mean concretely for Belgian companies?

For Belgian companies developing, distributing or implementing digital products, it is important to:

  • Set up an internal audit process now to assess their products against the CRA;
  • Implement the necessary cybersecurity practices and procedures, including vulnerability management;
  • Consider whether they need to update their CE markings;
  • Train legal and technical staff on the new obligations.

Although the CRA will not take effect until 2026, acting now is essential. After all, product development processes are long and complex, and early preparation provides a competitive advantage and reduces the risk of market disruption.

Conclusion

The Cyber Resilience Act represents a significant step forward in strengthening digital security within the European Union. It is crucial for Belgian companies to start implementing the required measures in time to comply with the new regulations and ensure the security of their products.

Our attorneys are ready to assist you in analyzing your CRA obligations, drafting internal procedures, or aligning your CE compliance.

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be